短暂延迟后,API 状态会变为“已启用”。如果没有看到
Android Device Provisioning Partner API,请检查您的组织是否已完成初始配置
进行零触摸注册请确保您对
零触摸注册和 Google API 控制台。咨询您的 Google 平台解决方案
让顾问确认您的 Google 账号是否有权访问该 API。
第 4 步:关联服务账号
将服务账号与贵组织的零触摸注册账号相关联后,该服务账号便有权代表贵组织发出 API 调用。请按照以下步骤关联您的服务账号:
[null,null,["最后更新时间 (UTC):2025-07-25。"],[[["\u003cp\u003eAPI calls to the zero-touch enrollment reseller API require authorization to protect your organization's data, and this is achieved by creating a service account, storing its JSON key file, enabling the API, and linking the account.\u003c/p\u003e\n"],["\u003cp\u003eA service account, representing an application rather than a user, is created in the Google API Console to call APIs, with a new project recommended for easier management and access.\u003c/p\u003e\n"],["\u003cp\u003eThe JSON key file, which contains the private key, must be kept private and secure, and is used to authenticate API calls made by your service account, with a warning that these keys can become a security risk if they are not managed carefully.\u003c/p\u003e\n"],["\u003cp\u003eBefore your app can use the API, it needs to be enabled within the API Console, which associates it with the current project and allows for monitoring, by searching for and enabling the \u003cem\u003eAndroid Device Provisioning Partner API\u003c/em\u003e.\u003c/p\u003e\n"],["\u003cp\u003eLinking the service account with your organization's zero-touch enrollment account in the portal is necessary to authorize the service account to make API calls on behalf of your organization.\u003c/p\u003e\n"]]],["To authorize API calls, first, create a service account in the Google API Console, generating and storing a JSON key file. Next, enable the *Android Device Provisioning Partner API* within the project. Finally, link the service account to your organization's zero-touch enrollment account via the portal, using the service account's email address. Use the `https://www.googleapis.com/auth/androidworkprovisioning` scope for OAuth 2.0 access tokens. This process allows the service account to make API calls on behalf of the organization.\n"],null,["API calls to the zero-touch enrollment reseller API need authorization.\nRequiring authorization protects your organization's data. To authorize calls to\nthe zero-touch enrollment API, you need to complete the following tasks:\n\n1. [Create a service account](#create-service) to call the APIs.\n2. [Store the JSON key file](#store-key) to authorize the API calls.\n3. [Enable the API](#enable-api) to make it available to the service account.\n4. [Link the service account](#link-account) to make API calls on behalf of your organization.\n\nUse the instructions below to help you complete the tasks.\n| **Note:** Before you start, your organization needs to be [onboarded](/zero-touch/guides/get-started#onboard-check) into zero-touch enrollment. You'll also need to request API access from your Google Platform Solutions Consultant. Confirm that you can access the [portal](https://enterprise.google.com/android/zero-touch/resellers) using your Google Account associated with your corporate email. Use the same Google Account for the portal and Google API Console when following the instructions below.\n\nStep 1: create a service account\n\nA service account, sometimes called a robot account, is a Google Account\nrepresenting applications instead of users. Your app calls APIs on behalf of the\nservice account, so users aren't directly involved. Because your app is using\nGoogle APIs, use the Google API Console to set up access.\n\nCreate an API Console project\n\nIt's good practice to create a new API Console project and service\naccount for your app. This makes managing access, managing resources, and fixing\nlost keys easier in the future. Start by following the steps below to create a\nnew project in Google API Console:\n\n1. Go to the [API Console](https://console.cloud.google.com/).\n2. From the projects list, select **[Create a project](https://console.cloud.google.com/projectcreate)**.\n3. Enter a name that describes your app and zero-touch enrollment.\n4. Specify a project ID or accept the default.\n5. Click **Create**.\n\nTo find out more, read the Google Cloud Platform document [Manage projects in\nthe console](https://support.google.com/cloud/answer/6158853).\n\nAdd new service credentials\n\nTo add new credentials and a service account to your project, follow the steps\nbelow in your API Console.\n\n1. Open the [**Service accounts** page](https://console.cloud.google.com/iam-admin/serviceaccounts). If prompted, select a project.\n2. Click add **Create Service Account** , enter a name and description for the service account. You can use the default service account ID, or choose a different, unique one. When done click **Create**.\n3. The **Service account permissions (optional)** section that follows is not required. Click **Continue**.\n4. On the **Grant users access to this service account** screen, scroll down to the **Create key** section. Click add **Create key**.\n5. In the side panel that appears, select the format for your key: **JSON** is recommended.\n6. Click **Create** . Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of this key. For information on how to store it securely, see [Managing service account keys](https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys).\n7. Click **Close** on the **Private key saved to your computer** dialog, then click **Done** to return to the table of your service accounts.\n\nCopy the email address of the service account and keep it handy. You need it\nlater when you link the service account to your organization.\n\nStep 2: store the JSON key file\n\nAPI Console generates a new private key pair used to authenticate\nAPI calls made using your service account. The private key is in the JSON key\nfile you download.\n\nYou should keep the key private, so don't include it in your app's source code.\nIf you lose the key file, you need to generate a new pair of keys.\n| **Warning:** Service account keys can become a security risk if not managed carefully. For advice see [best practices for managing API keys](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys).\n\nStep 3: enable the API\n\nBefore your app can use the API, you need to enable it. Enabling an API\nassociates it with the current API Console project and adds\nmonitoring pages in your console.\n\nTo enable the API, follow the steps below in your API Console:\n\n1. Click **APIs \\& Services \\\u003e [Library](https://console.cloud.google.com/apis/library)**.\n2. Use the search field to find the [*Android Device Provisioning Partner API*](https://console.cloud.google.com/apis/library?q=Android%20Device%20Provisioning%20Partner%20API).\n3. Click *Android Device Provisioning Partner API*.\n4. Click **Enable**.\n\nAfter a short delay, the API status changes to enabled. If you don't see\n*Android Device Provisioning Partner API*, check your organization's onboarded\ninto zero-touch enrollment. Make sure you're using the same Google Account for\nzero-touch enrollment and Google API Console. Ask your Google Platform Solutions\nConsultant to check your Google Account has access to the API.\n\nStep 4: link the service account\n\nLinking the service account with your organization's zero-touch enrollment\naccount authorizes the service account to make API calls on behalf of your\norganization. Follow the steps below to link your service account:\n\n1. Open the zero-touch enrollment [portal](https://enterprise.google.com/android/zero-touch/resellers). You might need to sign in.\n2. Click settings_ethernet **Service\n accounts**.\n3. Click add **Link service account**.\n4. Set **Email address** to the address of the service account you created.\n5. Click **Link service account** to use the service account with your zero-touch enrollment account.\n\nIf you can't find the email address of the service account you created, copy it\nfrom one of the following places:\n\n- The **Service account email** from [**Service accounts** page](https://console.cloud.google.com/iam-admin/serviceaccounts) in the Google API Console.\n- The `client_email` property field in the JSON key file.\n\nYour service account can now make calls to the reseller API on behalf of your\norganization.\n\nTry out the API\n\nTest that your API access is working by following the steps in [Get\nstarted](/zero-touch/guides/get-started).\n\nAuthorization scopes\n\nUse the API authorization scope\n`https://www.googleapis.com/auth/androidworkprovisioning` in your app to request\nan OAuth 2.0 access token.\n\nA scope parameter controls the set of resources and operations that an access\ntoken permits calls to. Access tokens are valid only for the set of operations\nand resources described in the scope of the token request. The API covers all\nthe methods and resources with the single zero-touch enrollment scope shown\nabove.\n\nFor an example of the zero-touch enrollment scope used with the Google API\nclient library, see [Get started](/zero-touch/guides/get-started#sample). To learn more about using\nGoogle API scopes, read\n[Using OAuth 2.0 to Access Google APIs](/identity/protocols/OAuth2)."]]
